1 /*
2 * Copyright (c) 1999,2001,2003-2004 Todd C. Miller <Todd.Miller@courtesan.com>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
16 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
17 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18 *
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
22 */
23
24 #include "config.h"
25
26 #include <sys/types.h>
27 #include <sys/param.h>
28 #include <stdio.h>
29 #ifdef STDC_HEADERS
30 # include <stdlib.h>
31 # include <stddef.h>
32 #else
33 # ifdef HAVE_STDLIB_H
34 # include <stdlib.h>
35 # endif
36 #endif /* STDC_HEADERS */
37 #ifdef HAVE_STRING_H
38 # include <string.h>
39 #else
40 # ifdef HAVE_STRINGS_H
41 # include <strings.h>
42 # endif
43 #endif /* HAVE_STRING_H */
44 #ifdef HAVE_UNISTD_H
45 # include <unistd.h>
46 #endif /* HAVE_UNISTD_H */
47 #include <pwd.h>
48 #include <krb5.h>
49
50 #include "sudo.h"
51 #include "sudo_auth.h"
52
53 #ifndef lint
54 static const char rcsid[] = "$Sudo: kerb5.c,v 1.23 2004/06/07 00:02:56 millert Exp $";
55 #endif /* lint */
56
57 #ifdef HAVE_HEIMDAL
58 # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
59 # define krb5_free_data_contents(c, d) krb5_data_free(d)
60 # define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */
61 #else
62 # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
63 #endif
64
65 static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
66 static struct _sudo_krb5_data {
67 krb5_context sudo_context;
68 krb5_principal princ;
69 krb5_ccache ccache;
70 } sudo_krb5_data = { NULL, NULL, NULL };
71 typedef struct _sudo_krb5_data *sudo_krb5_datap;
72
73 extern const krb5_cc_ops krb5_mcc_ops;
74
75 int
kerb5_init(pw,promptp,auth)76 kerb5_init(pw, promptp, auth)
77 struct passwd *pw;
78 char **promptp;
79 sudo_auth *auth;
80 {
81 krb5_context sudo_context;
82 krb5_ccache ccache;
83 krb5_principal princ;
84 krb5_error_code error;
85 char cache_name[64];
86 char *pname;
87
88 auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
89
90 if ((error = krb5_init_context(&(sudo_krb5_data.sudo_context))))
91 return(AUTH_FAILURE);
92 sudo_context = sudo_krb5_data.sudo_context;
93
94 if ((error = krb5_parse_name(sudo_context, pw->pw_name,
95 &(sudo_krb5_data.princ)))) {
96 log_error(NO_EXIT|NO_MAIL,
97 "%s: unable to parse '%s': %s", auth->name, pw->pw_name,
98 error_message(error));
99 return(AUTH_FAILURE);
100 }
101 princ = sudo_krb5_data.princ;
102
103 /*
104 * Really, we need to tell the caller not to prompt for password.
105 * The API does not currently provide this unless the auth is standalone.
106 */
107 #if 1
108 if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
109 log_error(NO_EXIT|NO_MAIL,
110 "%s: unable to unparse princ ('%s'): %s", auth->name,
111 pw->pw_name, error_message(error));
112 return(AUTH_FAILURE);
113 }
114
115 /* Only rewrite prompt if user didn't specify their own. */
116 /*if (!strcmp(prompt, PASSPROMPT)) { */
117 easprintf(promptp, "Password for %s: ", pname);
118 /*}*/
119 free(pname);
120 #endif
121
122 /* For CNS compatibility */
123 if ((error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE))) {
124 if (error != KRB5_CC_TYPE_EXISTS) {
125 log_error(NO_EXIT|NO_MAIL,
126 "%s: unable to use Memory ccache: %s", auth->name,
127 error_message(error));
128 return(AUTH_FAILURE);
129 }
130 }
131
132 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
133 (long) getpid());
134 if ((error = krb5_cc_resolve(sudo_context, cache_name,
135 &(sudo_krb5_data.ccache)))) {
136 log_error(NO_EXIT|NO_MAIL,
137 "%s: unable to resolve ccache: %s", auth->name,
138 error_message(error));
139 return(AUTH_FAILURE);
140 }
141 ccache = sudo_krb5_data.ccache;
142
143 if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
144 log_error(NO_EXIT|NO_MAIL,
145 "%s: unable to initialize ccache: %s", auth->name,
146 error_message(error));
147 return(AUTH_FAILURE);
148 }
149
150 return(AUTH_SUCCESS);
151 }
152
153 int
kerb5_verify(pw,pass,auth)154 kerb5_verify(pw, pass, auth)
155 struct passwd *pw;
156 char *pass;
157 sudo_auth *auth;
158 {
159 krb5_context sudo_context;
160 krb5_principal princ;
161 krb5_ccache ccache;
162 krb5_creds creds;
163 krb5_error_code error;
164 krb5_get_init_creds_opt opts;
165
166 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
167 princ = ((sudo_krb5_datap) auth->data)->princ;
168 ccache = ((sudo_krb5_datap) auth->data)->ccache;
169
170 /* Initialize options to defaults */
171 krb5_get_init_creds_opt_init(&opts);
172
173 /* Note that we always obtain a new TGT to verify the user */
174 if ((error = krb5_get_init_creds_password(sudo_context, &creds, princ,
175 pass, krb5_prompter_posix,
176 NULL, 0, NULL, &opts))) {
177 if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
178 return(AUTH_FAILURE);
179 /* Some other error */
180 log_error(NO_EXIT|NO_MAIL,
181 "%s: unable to get credentials: %s", auth->name,
182 error_message(error));
183 return(AUTH_FAILURE);
184 }
185
186 /* Stash the TGT so we can verify it. */
187 if ((error = krb5_cc_store_cred(sudo_context, ccache, &creds))) {
188 log_error(NO_EXIT|NO_MAIL,
189 "%s: unable to store credentials: %s", auth->name,
190 error_message(error));
191 } else {
192 error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
193 }
194
195 krb5_free_cred_contents(sudo_context, &creds);
196 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
197 }
198
199 int
kerb5_cleanup(pw,auth)200 kerb5_cleanup(pw, auth)
201 struct passwd *pw;
202 sudo_auth *auth;
203 {
204 krb5_context sudo_context;
205 krb5_principal princ;
206 krb5_ccache ccache;
207
208 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
209 princ = ((sudo_krb5_datap) auth->data)->princ;
210 ccache = ((sudo_krb5_datap) auth->data)->ccache;
211
212 if (sudo_context) {
213 if (ccache)
214 krb5_cc_destroy(sudo_context, ccache);
215 if (princ)
216 krb5_free_principal(sudo_context, princ);
217 krb5_free_context(sudo_context);
218 }
219
220 return(AUTH_SUCCESS);
221 }
222
223 /*
224 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
225 *
226 * Verify the Kerberos ticket-granting ticket just retrieved for the
227 * user. If the Kerberos server doesn't respond, assume the user is
228 * trying to fake us out (since we DID just get a TGT from what is
229 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
230 * the local keytab doesn't have it), return success but log the error.
231 *
232 * This needs to run as root (to read the host service ticket).
233 *
234 * Returns 0 for successful authentication, non-zero for failure.
235 */
236 static int
verify_krb_v5_tgt(sudo_context,ccache,auth_name)237 verify_krb_v5_tgt(sudo_context, ccache, auth_name)
238 krb5_context sudo_context;
239 krb5_ccache ccache;
240 char *auth_name; /* For error reporting */
241 {
242 char phost[BUFSIZ];
243 krb5_error_code error;
244 krb5_principal princ;
245 krb5_data packet;
246 krb5_keyblock *keyblock = 0;
247 krb5_auth_context auth_context = NULL;
248
249 packet.data = 0;
250
251 /*
252 * Get the server principal for the local host.
253 * (Use defaults of "host" and canonicalized local name.)
254 */
255 if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
256 KRB5_NT_SRV_HST, &princ))) {
257 log_error(NO_EXIT|NO_MAIL,
258 "%s: unable to get host principal: %s", auth_name,
259 error_message(error));
260 return(-1);
261 }
262
263 /* Extract the name directly. Yow. */
264 strlcpy(phost, extract_name(sudo_context, princ), sizeof(phost));
265
266 /*
267 * Do we have host/<host> keys?
268 * (use default keytab, kvno IGNORE_VNO to get the first match,
269 * and enctype is currently ignored anyhow.)
270 */
271 if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
272 ENCTYPE_DES_CBC_MD5, &keyblock))) {
273 /* Keytab or service key does not exist. */
274 log_error(NO_EXIT,
275 "%s: host service key not found: %s", auth_name,
276 error_message(error));
277 error = 0;
278 goto cleanup;
279 }
280 if (keyblock)
281 krb5_free_keyblock(sudo_context, keyblock);
282
283 /* Talk to the kdc and construct the ticket. */
284 error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
285 NULL, ccache, &packet);
286 if (auth_context) {
287 krb5_auth_con_free(sudo_context, auth_context);
288 auth_context = NULL; /* setup for rd_req */
289 }
290
291 /* Try to use the ticket. */
292 if (!error)
293 error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
294 NULL, NULL, NULL);
295 cleanup:
296 if (packet.data)
297 krb5_free_data_contents(sudo_context, &packet);
298 krb5_free_principal(sudo_context, princ);
299
300 if (error)
301 log_error(NO_EXIT|NO_MAIL,
302 "%s: Cannot verify TGT! Possible attack!: %s", auth_name,
303 error_message(error));
304 return(error);
305 }
306